Merge pull request #37 from helium/feat/session-key-updates

Updating session-key validation

README.md

@@ -1,47 +1,7 @@
-# Helius RPC Proxy
+# RPC Proxy for Helius
 
-[![RPC Proxy](docs/rpc_proxy.png)](https://helius.xyz)
+The RPC Proxy is handled by a Cloudflare Worker.
 
-This repo hosts a one-click-deploy Cloudflare worker that proxies RPC requests to Helius. The proxy will allow you to keep your API key
-hidden from public requests made by clients. You will need both a [Helius](https://helius.xyz) account and a [Cloudflare](https://cloudflare.com) account to deploy this. Helius offers 100k credits for free each month, and Cloudflare workers can execute 100k invocations each day for free. Most projects can easily get started within these free tiers.
+Within Cloudflare, the `rpc-proxy-staging` worker denotes the worker corresponding to the Solana Devnet environment. Deployments to the staging RPC Proxy occur directly via GitHub Actions when PRs are merged to Main and on successful completion of the test suite.
 
-Both standard JSON RPC and Websockets are supported!
-
-[Video Walkthrough](https://www.loom.com/share/a7add579f1c349d2a4bcab96ee04c47e)
-
-# Setup
-### Step 1
-
-Press the button below to deploy this to your own Cloudflare account:
-
-[![Deploy to Cloudflare Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/helius-labs/helius-rpc-proxy)
-
-### Step 2
-
-Navigate to your newly deployed worker, and click "Settings" and then "Variables":
-
-![Variables](docs/add_variable.png)
-
-### Step 3
-Add a new variable with the key name `HELIUS_API_KEY` and your Helius API key as the value:
-
-![Add Secret](docs/add_secret.png)
-
-> NOTE: We recommend selecting "Encrypt". This will hide your key from the UI and API responses, and redact them from logs.
-
-![Encrypt](docs/encrypt.png)
-
-### Step 4
-Refresh the page and confirm that your key is now saved and encrypted:
-
-![Confirm](docs/confirm.png)
-
-You can now use your worker URL as an the RPC endpoint in all SDK and client side configurations without your API key leaking!
-# Additional Security Steps
-This implementation is intentionally left in a less-than-ideal security state to facilitate easy deployment by anyone. If you would like to
-lock down your RPC proxy further, consider the following steps after you have successfully deployed the worker:
-
-
-* Update the `Access-Control-Allow-Origin` header by adding a new variable with the key name `CORS_ALLOW_ORIGIN` to contain the host that your requests are coming from (usually your client application). For example, if you wanted to allow requests from `https://example.com`, you would change the header to `https://example.com`.
-* [Cloudflare Web Application Firewall (WAF)](https://www.cloudflare.com/lp/ppc/waf-x/) - You can configure the WAF to inspect requests and allow/deny based on your own business logic.
-* Modify the IP address allow list in Helius for your API key to only accept connections from the Cloudflare ranges (https://cloudflare.com/ips-v4).
+Similarly, the `rpc-proxy` worker denotes the worker corresponding to the Solana Mainnet environment. Deployments to the production RPC Proxy occur manually via the GitHub Actions control plane and can only be performed by those with requisite permissions and only after successful completion of the test suite.

jest-setup.ts

@@ -8,7 +8,8 @@ jest.setMock('node-fetch', fetch);
 
 process.env.CORS_ALLOW_ORIGIN = 'CORS_ALLOW_ORIGIN';
 process.env.HELIUS_API_KEY = 'HELIUS_API_KEY';
-process.env.SESSION_KEY = 'SESSION_KEY';
+process.env.SESSION_KEY_PREV = 'SESSION_KEY_PREV';
+process.env.SESSION_KEY_CURR = 'SESSION_KEY_CURR';
 process.env.AWS_REGION = 'AWS_REGION';
 process.env.AWS_ACCESS_KEY_ID = 'AWS_ACCESS_KEY_ID';
 process.env.AWS_SECRET_ACCESS_KEY = 'AWS_SECRET_ACCESS_KEY';

src/index.ts

@@ -40,10 +40,10 @@ export default {
 		// other query string params
 		const { searchParams, pathname } = new URL(request.url);
 		const sessionKey = searchParams.get('session-key');
-		if (sessionKey != env.SESSION_KEY) {
+		if (!sessionKey || ![env.SESSION_KEY_CURR, env.SESSION_KEY_PREV].includes(sessionKey)) {
 			return new Response(null, {
 				status: 404,
-				statusText: 'Unexpected path',
+				statusText: 'Invalid session key',
 			});
 		}
 		searchParams.delete('session-key');

src/tests/createLogStreamCommandBuilder.test.ts

@@ -13,7 +13,8 @@ describe('createLogStreamCommandBuilder', () => {
 	const originalEnv = {
 		CORS_ALLOW_ORIGIN: process.env.CORS_ALLOW_ORIGIN,
 		HELIUS_API_KEY: process.env.HELIUS_API_KEY,
-		SESSION_KEY: process.env.SESSION_KEY,
+		SESSION_KEY_PREV: process.env.SESSION_KEY_PREV,
+		SESSION_KEY_CURR: process.env.SESSION_KEY_CURR,
 		AWS_REGION: process.env.AWS_REGION,
 		AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID,
 		AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,

src/tests/errorHandler.test.ts

@@ -21,7 +21,8 @@ describe('errorHandler', () => {
 	const originalEnv = {
 		CORS_ALLOW_ORIGIN: process.env.CORS_ALLOW_ORIGIN,
 		HELIUS_API_KEY: process.env.HELIUS_API_KEY,
-		SESSION_KEY: process.env.SESSION_KEY,
+		SESSION_KEY_PREV: process.env.SESSION_KEY_PREV,
+		SESSION_KEY_CURR: process.env.SESSION_KEY_CURR,
 		AWS_REGION: process.env.AWS_REGION,
 		AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID,
 		AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,

src/tests/index.test.ts

@@ -11,7 +11,8 @@ describe('index', () => {
 	const originalEnv = {
 		CORS_ALLOW_ORIGIN: process.env.CORS_ALLOW_ORIGIN as string,
 		HELIUS_API_KEY: process.env.HELIUS_API_KEY as string,
-		SESSION_KEY: process.env.SESSION_KEY as string,
+		SESSION_KEY_PREV: process.env.SESSION_KEY_PREV as string,
+		SESSION_KEY_CURR: process.env.SESSION_KEY_CURR as string,
 		AWS_REGION: process.env.AWS_REGION as string,
 		AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID as string,
 		AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY as string,
@@ -23,7 +24,7 @@ describe('index', () => {
 		(fetch as jest.MockedFunction<typeof fetch>).mockImplementation();
 
 		const request = new Request(
-			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY}`,
+			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY_CURR}`,
 			{
 				method: 'POST',
 				headers: {
@@ -46,7 +47,7 @@ describe('index', () => {
 		(fetch as jest.MockedFunction<typeof fetch>).mockImplementation();
 
 		const request = new Request(
-			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY}`,
+			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY_CURR}`,
 			{
 				method: 'POST',
 				headers: {
@@ -64,14 +65,60 @@ describe('index', () => {
 		expect(fetch).not.toBeCalled();
 	});
 
+	test('handles invalid session-key',async () => {
+		(errorHandler as jest.Mock).mockImplementation();
+		(fetch as jest.MockedFunction<typeof fetch>).mockImplementation();
+
+		const request = new Request(
+			`https://solana-rpc.web.helium.io/?session-key=fail-me`,
+			{
+				method: 'POST',
+				headers: {
+					Host: 'solana-rpc.web.helium.io',
+				},
+				body: '{"jsonrpc": "2.0", }',
+			}
+		) as unknown as Parameters<typeof worker.fetch>[0];
+
+		const resp = await worker.fetch(request, originalEnv);
+
+		expect(resp.status).toEqual(404);
+
+		expect(errorHandler).not.toBeCalled();
+		expect(fetch).not.toBeCalled();
+	});
+
+	test('handles SESSION_KEY_PREV',async () => {
+		(errorHandler as jest.Mock).mockImplementation();
+		(fetch as jest.MockedFunction<typeof fetch>).mockImplementation();
+
+		const request = new Request(
+			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY_PREV}}`,
+			{
+				method: 'POST',
+				headers: {
+					Host: 'solana-rpc.web.helium.io',
+				},
+				body: '{"jsonrpc": "2.0", }',
+			}
+		) as unknown as Parameters<typeof worker.fetch>[0];
+
+		const resp = await worker.fetch(request, originalEnv);
+
+		expect(resp.status).toEqual(404);
+
+		expect(errorHandler).not.toBeCalled();
+		expect(fetch).not.toBeCalled();
+	});
+
 	test('does not invoke errorHandler', async () => {
 		(errorHandler as jest.Mock).mockImplementation();
 		(fetch as jest.MockedFunction<typeof fetch>).mockResolvedValue(
 			new Response(undefined, { status: 200 })
 		);
 
 		const request = new Request(
-			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY}`,
+			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY_CURR}`,
 			{
 				method: 'POST',
 				headers: {
@@ -93,7 +140,7 @@ describe('index', () => {
 		);
 
 		const request = new Request(
-			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY}`,
+			`https://solana-rpc.web.helium.io/?session-key=${originalEnv.SESSION_KEY_CURR}`,
 			{
 				method: 'POST',
 				headers: {

src/tests/putLogEventsCommandBuilder.test.ts

@@ -15,7 +15,8 @@ describe('putLogEventsCommandBuilder', () => {
 	const originalEnv = {
 		CORS_ALLOW_ORIGIN: process.env.CORS_ALLOW_ORIGIN,
 		HELIUS_API_KEY: process.env.HELIUS_API_KEY,
-		SESSION_KEY: process.env.SESSION_KEY,
+		SESSION_KEY_PREV: process.env.SESSION_KEY_PREV,
+		SESSION_KEY_CURR: process.env.SESSION_KEY_CURR,
 		AWS_REGION: process.env.AWS_REGION,
 		AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID,
 		AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY,

src/types.ts

@@ -1,7 +1,8 @@
 export interface Env {
 	CORS_ALLOW_ORIGIN: string;
 	HELIUS_API_KEY: string;
-	SESSION_KEY: string;
+	SESSION_KEY_PREV: string;
+	SESSION_KEY_CURR: string;
 	AWS_REGION: string;
 	AWS_ACCESS_KEY_ID: string;
 	AWS_SECRET_ACCESS_KEY: string;